
Hive Ransomware Shut Down by Law Enforcement Operation; FBI in Possession of Decryption Keys, Group’s Public-Facing Website

The Hive ransomware threat appears to be very much in retreat as the US Department of Justice recently announced the seizure of the group’s decryption keys and infrastructure, including its public-facing website. Hive had become one of the largest (if not the largest) ransomware-as-a-service groups in 2022 after major rivals such as REvil and Conti were sidelined by law enforcement operations and increasing international pressure.

Hive appears to be the latest addition to the list of ransomware operators that got too big for their own good and drew the special attention of well-funded law enforcement operations with the resources and ability to break them up. While this usually does not put a complete end to the ransomware operators (until arrests are made), shutting them down and seizing decryption keys gives numerous victims some immediate relief.

Hive ransomware compromised by agents in mid-2022, victims furnished with decryption keys

The DOJ says that the FBI was able to infiltrate the Hive ransomware group in late July 2022, and since then has been distributing decryption keys to victims. This was apparently done quietly for about 300 victims as they were in the midst of being attacked by the group; the FBI also provided keys to about 1,000 previous victims that were hit before the law enforcement operation began. During its run Hive hit Memorial Health System of Ohio, major German electronics retailer MediaMarkt, and the New York Racing Association among other big-name victims. In total they were thought to have compromised about 1,500 victims.

The group appears to have been making use of some servers in Europe as their primary systems, as the law enforcement operation included federal police in Germany and the Netherlands who seized servers and took over the group’s public-facing websites used to extort and take payments from victims. In all, the DOJ estimates the operation saved victims and potential victims from having to pay a cumulative $130 million in ransom demands, not to mention the likely remediation costs (which generally exceed ransom payment amounts by a great deal).

Hive ransomware was first spotted in 2021 and the group is thought to have racked up over $100 million in payments during its run. It is particularly difficult to clean up after as it is one of the “double extortion” strains that steals files before encrypting them and threatens to release them to the public if the ransom is not paid.

In addition to disrupting the group’s public presence and primary means of communication with victims, its Tor payment and data leak sites are also now in police control. If its command-and-control servers were also taken by the law enforcement operation, that would essentially put an end to the Hive ransomware group.

Some recent studies have shown a decline in ransomware operations, and Roger Grimes (data-driven defense evangelist at KnowBe4) notes that aggressive law enforcement operations are likely a big part of that: “Cut off a tentacle and another tentacle grows. We’ve had several disruptions in the past and they are always temporary and either the same ransomware group revives or another new group takes over its place. But I will say that what CISA, DOJ, and the FBI are doing to disrupt ransomware is having a real impact. The ransomware gangs are finding it increasingly hard to make a living extorting companies. Extortion payments are down big time. More victims aren’t paying. And it’s becoming increasingly harder for the bad guys to make the same level of revenue they made in the past. Ransomware is still rampant, but what the feds are doing is putting a damp in their step…it is having real, long-term impact. This latest announcement is just another drop in the bucket sending the message to ransomware groups that they are facing a legal adversary that fights back!”

FBI-led law enforcement operation turns up information on 250 Hive affiliates

RaaS groups generally do not do much direct penetration of victim networks; affiliates find a way in, then turn to the ransomware operators to complete the job, encrypt victim files and handle the shakedown portion of the operation, all in return for a cut of the eventual ransom payment. The FBI warrant application indicates that it found information about 250 of the Hive ransomware affiliates that are most directly responsible for breaching target networks, hopefully providing leads that take some proficient criminal hacking teams out of operation.

The Hive ransomware group is thought to be based in Russia and to have incorporated some members of the Conti gang when that group dissolved under pressure in mid-2022. Conti experienced a schism when some group leadership opted to pledge support to the Russian government after the invasion of Ukraine, and a Ukrainian member responded by leaking internal group chats that provided valuable intelligence to law enforcement operations. Out of apparent fear of investigation after this incident, Conti broke up and its members are believed to have scattered to various other ransomware operations.

Unless they happen to be scooped up by law enforcement, the members of Hive will likely scatter and regroup elsewhere in a similar manner. If the group members are in Russia, there is very little chance of law enforcement operations taking them into custody, though the prospect is not impossible: early in 2022, prior to the Ukraine invasion, negotiations between the Biden and Putin administrations led to the arrest of numerous individuals involved in the Colonial Pipeline attack.

But Tom Kellermann, CISM and Senior VP of cyber strategy at Contrast Security, believes that those days are done so long as the Putin administration remains in charge: “Today’s disruption of the Russian HIVE ransomware infrastructure underscores the historic international cooperation between law enforcement agencies. The International Ransomware taskforce is having an impact. The real challenge lies in the protection racket that exists between the cybercrime cartels and the Russian regime, which endows them with untouchable status from western law enforcement. We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions.”


And Julia O’Toole, CEO of MyCena Security Solutions, notes that though good news is coming out about the ransomware market it is far from time for organizations to ease up on their awareness and security posture: “Organisations should … use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, defending their network infrastructure access must be their number one priority. When it comes to defence tools, access segmentation and encryption provides the greatest protection. These solutions stop data breach from propagating through networks and morphing into a ransomware attack, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”